A guide to help local authorities understand the threat from cyber attacks, produced by central government.
On average, 33,000 malicious emails are blocked from accessing public sector systems every month, and this is just one of the many different types of attack that government and wider public service systems must defend against.
Whilst the level of threat will vary across local authorities, they all possess information or infrastructure of interest to malicious cyber attackers.
Council employees can also be targets for criminal activity.
Across the country, local government IT departments are working hard to reduce these threats every day, and the support of senior officers and councillors is vital to ensuring the continued focus and profile of this work.
This guide is intended to help the non-technical reader understand the threats and what can be done to reduce their organisations’ vulnerability to security incidents and cyber-attacks.
Cybercriminals’ principal goal is to monetise their attacks.
The most common form of cyber-attack against public bodies is the use of false or stolen customer credentials to commit fraud.
The uptake of online services means this form of crime can now be carried out on a much larger scale, and criminals based overseas, as well as onshore, can defraud local authorities from outside the UK.
Cybercriminals also seek to steal data from government networks that has a value on the black market, such as financial information or data that can be used for ID theft.
Several types of malware have been specifically designed by cybercriminals to exploit e-banking details or log-in information. These include Shylock, Gameover Zeus and Citadel.
Such malware is sometimes found on public sector networks, but financial and commercial organisations are more likely to be targeted.
Cybercriminals often want to control computer infrastructure and use it as a platform for carrying out other activity such as sending spam and phishing emails.
Government networks are an attractive target.
These groups also launch ransom attacks, locking victims out of their data and only providing the key once money is paid.
Although the victims are usually members of the public and sometimes small organisations, the criminals often purport to come from a public agency, leading to the potential for reputational damage.
Despite the continued success of National Crime Agency (NCA) operations and FBI operations in the USA, cybercriminals adapt their methods and tools to counter law enforcement action.
It therefore takes a sustained campaign to keep cybersecurity standards up to date.
Removing malware from a network is a complex and time-consuming task that would have a significant impact on the running of an organisation, especially if a network needs to be shut down – so prevention is better than cure.
Public bodies that fail to secure personal data will be investigated by the Information Commissioner and can expect a fine if found negligent.
Hacktivists crave publicity.
For them, success is, for example, causing embarrassment or annoyance to the owners of high-profile websites and social media platforms that they deface or take offline.
When targeted against local government websites and networks, these attacks can cause reputational damage locally and to the UK at home and abroad.
Hacktivist groups have successfully used distributed denial of service (DDoS) attacks to disrupt the websites of UK local authorities.
A DDoS is when a system, service or network is burdened to such an extent by an electronic attack that it becomes unavailable.
If targeted at online public services (such as UK visas, Universal Credit or Council Tax payments), this kind of attack would cause financial, as well as reputational, harm.
A May 2014 global survey commissioned by BT showed, on average, organisations take 12 hours to recover fully from an especially powerful DDoS attack.
If online services are regularly disrupted by cyber-attacks this could lead to the erosion of public confidence in using such services.
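The pattern described above (a service burdened until it becomes unavailable) shows up in ordinary web-server access logs as one or a few sources sending far more requests than any real visitor, alongside a rising share of server errors. The following is an added example, not part of the guide or any council's own tooling: a small Python check that parses constructed access-log lines, counts each source's requests in a sliding ten-second window, flags any source over a limit, and reports the share of 5xx responses. The log lines, IP addresses (from documentation ranges), window size and limit are all constructed assumptions; a real deployment would tune the thresholds to its own traffic.

```python
"""Flag request floods in web-server access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed layout: client_ip [timestamp] "request line" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def build_sample_log():
    """Constructed sample: three ordinary visitors plus one flooding source."""
    base = datetime(2014, 6, 2, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary visitors: three requests each, spread over twenty seconds.
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "198.51.100.7"]):
        for k in range(3):
            t = base + timedelta(seconds=10 * k + i)
            lines.append(f'{ip} [{t.strftime(TS_FMT)}] "GET /council-tax/pay HTTP/1.1" 200')
    # Flooding source: 240 requests inside ten seconds, server answering 503.
    for k in range(240):
        t = base + timedelta(seconds=k // 24)
        lines.append(f'{t and "192.0.2.99"} [{t.strftime(TS_FMT)}] "GET /council-tax/pay HTTP/1.1" 503')
    return lines


def flag_sources(lines, window=timedelta(seconds=10), per_source_limit=60):
    """Map each source over the limit to its peak request count in any window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # malformed lines are skipped rather than crashing the check
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it fits within `window`.
            while t - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > per_source_limit:
            flagged[ip] = peak
    return flagged


def error_rate(lines):
    """Share of parsed requests answered with a 5xx status."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return 0.0
    return sum(1 for r in recs if 500 <= r["status"] < 600) / len(recs)


if __name__ == "__main__":
    log = build_sample_log()
    print("flagged sources:", flag_sources(log))
    print("5xx share: %.2f" % error_rate(log))
```

The per-source window catches a single noisy client; the error-rate figure matters because a true distributed attack spreads requests across many sources that individually stay under any per-source limit, so availability should be monitored directly as well.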
Lone hacktivists can pursue their own personal agenda.
They do not require detailed technical know-how to achieve their goal.
There are many commercially available hacking tools which have easy, step-by-step guides providing motivated but low-skilled individuals with the opportunity to gain illegitimate access to networks.
The social media accounts (Facebook, Twitter and LinkedIn) of local authorities and individuals can be hijacked and misleading information posted.
An insider is someone who exploits, or intends to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.
Such activity can include:
- unauthorised disclosure of sensitive information
- facilitation of third-party access to an organisation’s assets
- physical sabotage
- electronic or IT sabotage
Not all insiders deliberately set out to betray their organisation.
An unwitting insider may compromise their organisation through poor judgement or due to a lack of understanding of security procedures.
The insider threat is not new, but the environment in which insiders operate has changed significantly.
Technological advances have created broader opportunities for staff at all levels to access information.
These advances have also made it easier for insiders to collate, remove and circulate vast volumes of sensitive data, and local authorities are at risk.
Although the number of potential insiders within an organisation is proportionately very small, the potential impact on government and wider public sector is significant.
The increasing reliance on digital services brings with it an increased vulnerability in the event of a fire, flood, power cut or other disaster, natural or otherwise, that impacts upon local government IT systems.
Authorities take a range of approaches to mitigating threats in this area, ranging from accepting the risk (for low-impact services), to ensuring information is backed up off site (for medium-impact services), to having plans in place to recover services in an alternative location (for high-impact services), to full resilience across more than one location (for very high-impact services).
Many local authorities are starting to share services and locations to provide resilience in a cost-effective way.
Some terrorist groups demonstrate intent to conduct cyber-attacks, but fortunately have limited technical capability.
Terrorist groups could acquire improved capability in a number of ways; in particular, the sharing of expertise in online forums provides a significant opportunity for terrorists to escalate their capability.
So whilst many hacktivist groups do not pose a significant threat to the UK, they do possess skills and capabilities which are desired by some terrorist groups.
Terrorists may learn from large-scale data deletion attacks – such as the attack against the Saudi Arabian national oil company, Saudi Aramco, in which data on 30,000 computers was lost – and aspire to have the same impact in the UK.
Several of the most sophisticated and hostile foreign intelligence agencies target UK government and public sector networks to steal sensitive information.
This could ultimately disadvantage the UK in diplomatic or trade negotiations, or militarily.
In a recent case a hostile, state-sponsored group gained access to a system administrator account on the Government Secure Intranet.
Fortunately this attack was discovered early and dealt with to mitigate any damage, but it and the example below from Canada illustrate the potential threat from cyberespionage of this kind to both central and local government.
The internet’s global nature enables hostile foreign intelligence agencies to conduct espionage on an ever-increasing scale with the added benefit of using deniable infrastructure to keep their activity hidden.
This technical infrastructure allows sophisticated state actors to obfuscate their location, making Government networks an attractive target for state cyber programmes.
Employees are also a target for hostile foreign intelligence agencies.